Department of Homeland Security
Office of Inspector General

Information Technology Management Letter for the Immigration and Customs Enforcement Component of the FY 2010 DHS Financial Statement Audit

OIG-11-70                                             April 2011

Office of Inspector General
U.S. Department of Homeland Security
Washington, DC 20528

APR 07 2011

Preface

The Department of Homeland Security (DHS) Office of Inspector General (OIG) was established by the Homeland Security Act of 2002 (Public Law 107-296) by amendment to the Inspector General Act of 1978. This is one of a series of audit, inspection, and special reports prepared as part of our oversight responsibilities to promote economy, efficiency, and effectiveness within the department.

This report presents the information technology (IT) management letter for the FY 2010 Immigration and Customs Enforcement (ICE) component of the DHS financial statement audit as of September 30, 2010. It contains observations and recommendations related to information technology internal control that were summarized in the Independent Auditors' Report dated November 12, 2010 and presents the separate restricted distribution report mentioned in that report.
The independent accounting firm KPMG LLP (KPMG) performed the audit procedures at the ICE component in support of the DHS FY 2010 financial statements and prepared this IT management letter. KPMG is responsible for the attached IT management letter dated March 1, 2011, and the conclusions expressed in it. We do not express opinions on DHS' financial statements or internal control, or a conclusion on compliance with laws and regulations.

The recommendations herein have been developed to the best knowledge available to our office, and have been discussed in draft with those responsible for implementation. We trust that this report will result in more effective, efficient, and economical operations. We express our appreciation to all of those who contributed to the preparation of this report.

Assistant Inspector General
Office of Information Technology Audits

KPMG LLP
2001 M Street, NW
Washington, DC 20036

March 1, 2011

Inspector General
U.S. Department of Homeland Security

Chief Information Officer and
Chief Financial Officer
Immigration and Customs Enforcement

Ladies and Gentlemen:

We were engaged to audit the balance sheet of the U.S. Department of Homeland Security (DHS or Department), as of September 30, 2010 and the related statement of custodial activity for the year then ended (hereinafter referred to as "financial statements"). We were also engaged to examine the Department's internal control over financial reporting of the balance sheet as of September 30, 2010 and the statement of custodial activity for the year then ended.
We were not engaged to audit the statements of net cost, changes in net position, and budgetary resources as of September 30, 2010 (hereinafter referred to as "other fiscal year (FY) 2010 financial statements"), or to examine internal control over financial reporting over the other FY 2010 financial statements.

Because of matters discussed in our Independent Auditors' Report, dated November 12, 2010, the scope of our work was not sufficient to enable us to express, and we did not express, an opinion on the financial statements or on the effectiveness of DHS' internal control over financial reporting of the balance sheet as of September 30, 2010, and related statement of custodial activity for the year then ended. Additional deficiencies in internal control over financial reporting, potentially including additional material weaknesses and significant deficiencies, may have been identified and reported had we been able to perform all procedures necessary to express an opinion on the financial statements or on the effectiveness of DHS' internal control over financial reporting of the balance sheet as of September 30, 2010, and related statement of custodial activity for the year then ended; and had we been engaged to audit the other FY 2010 financial statements, and to examine internal control over financial reporting over the other FY 2010 financial statements.

A control deficiency exists when the design or operation of a control does not allow management or employees, in the normal course of performing their assigned functions, to prevent, or detect and correct misstatements on a timely basis. A significant deficiency is a deficiency, or a combination of deficiencies, in internal control that is less severe than a material weakness, yet important enough to merit attention by those charged with governance.
A material weakness is a deficiency, or a combination of deficiencies, in internal control, such that there is a reasonable possibility that a material misstatement of the entity's financial statements will not be prevented, or detected and corrected on a timely basis.

Immigration and Customs Enforcement (ICE) is a component of DHS. During our audit engagement, we noted certain matters in the areas of information technology (IT) configuration management, access controls, security management, and segregation of duties with respect to ICE's financial systems IT general controls, which we believe contribute to an IT material weakness at the DHS level. These matters are described in the IT General Control Findings and Recommendations section of this letter.

Information Technology Management Letter for the ICE Component of the FY 2010 DHS Financial Statement Audit

KPMG LLP is a Delaware limited liability partnership, the U.S. member firm of KPMG International Cooperative ("KPMG International"), a Swiss entity.

The material weakness described above is presented in our Independent Auditors' Report, dated November 12, 2010. This letter represents the separate limited distribution letter mentioned in that report. The control deficiencies described herein have been discussed with the appropriate members of management, and communicated through a Notice of Finding and Recommendation (NFR).

Because of its inherent limitations, internal control over financial reporting may not prevent, or detect and correct misstatements.
Also, projections of any evaluation of effectiveness to future periods are subject to the risk that controls may become inadequate because of changes in conditions, or that the degree of compliance with the policies or procedures may deteriorate. We aim to use our knowledge of ICE gained during our audit engagement to make comments and suggestions that are intended to improve internal control over financial reporting or result in other operating efficiencies. We have not considered internal control since the date of our Independent Auditors' Report.

The Table of Contents on the next page identifies each section of the letter. We have provided a description of key ICE financial systems and IT infrastructure within the scope of our engagement to audit the FY 2010 DHS financial statements in Appendix A; a description of each internal control finding in Appendix B; and the current status of the prior year NFRs in Appendix C. Our comments related to certain additional matters have been presented in a separate letter to the Office of Inspector General and the ICE Chief Financial Officer.

ICE's written response to our comments and recommendations has not been subjected to auditing procedures and, accordingly, we express no opinion on it.

This communication is intended solely for the information and use of DHS and ICE management, DHS Office of Inspector General, OMB, U.S. Government Accountability Office, and the U.S.
Congress, and is not intended to be and should not be used by anyone other than these specified parties.

Very truly yours,

Department of Homeland Security
Immigration and Customs Enforcement
Information Technology Management Letter
September 30, 2010

INFORMATION TECHNOLOGY MANAGEMENT LETTER

TABLE OF CONTENTS
                                                              Page
Objective, Scope, and Approach                                   1
Summary of Findings and Recommendations                          2
IT General Control Findings and Recommendations
  Configuration Management                                       3
  Access Control                                                 3
  Security Management                                            3
    After-Hours Physical Security Testing                        4
    Social Engineering Testing                                   4
  Segregation of Duties                                          4
Application Controls                                             6
Management's Comments and OIG Response                           6

APPENDICES

Appendix  Subject                                                                                  Page
   A      Description of Key ICE Financial Systems and IT Infrastructure within the Scope of the     7
          FY 2010 DHS Financial Statement Audit Engagement
   B      FY 2010 Notices of IT Findings and Recommendations at ICE                                  9
            • Notice of Findings and Recommendations – Definition of Severity Ratings               10
   C      Status of Prior Year Notices of Findings and Recommendations and Comparison to            20
          Current Year Notices of Findings and Recommendations at ICE
   D      Management Response                                                                       22

OBJECTIVE, SCOPE, AND APPROACH

In connection with our engagement to audit DHS' balance sheet as of September 30, 2010 and the related statement of custodial activity for the year then ended, we performed an evaluation of information technology general controls (ITGC) at ICE, to assist in planning and performing our audit. The Federal Information System Controls Audit Manual (FISCAM), issued by the Government Accountability Office (GAO), formed the basis of our ITGC evaluation procedures.
The scope of the ITGC evaluation is further described in Appendix A.

FISCAM was designed to inform financial auditors about IT controls and related audit concerns to assist them in planning their audit work and to integrate the work of auditors with other aspects of the financial audit. FISCAM also provides guidance to IT auditors when considering the scope and extent of review that generally should be performed when evaluating general controls and the IT environment of a federal agency. FISCAM defines the following five control functions to be essential to the effective operation of the general IT controls environment.

• Security Management (SM) – Controls that provide a framework and continuing cycle of activity for managing risk, developing security policies, assigning responsibilities, and monitoring the adequacy of computer-related security controls.
• Access Control (AC) – Controls that limit or detect access to computer resources (data, programs, equipment, and facilities) and protect against unauthorized modification, loss, and disclosure.
• Configuration Management (CM) – Controls that help to prevent unauthorized changes to information system resources (software programs and hardware configurations) and provide reasonable assurance that systems are configured and operating securely and as intended.
• Segregation of Duties (SD) – Controls that constitute policies, procedures, and an organizational structure to manage who can control key aspects of computer-related operations.
• Contingency Planning (CP) – Controls that involve procedures for continuing critical operations without interruption, or with prompt resumption, when unexpected events occur.

To complement our general IT controls audit procedures, we also performed technical security testing for key network and system devices, as well as
testing over key financial application controls in the ICE environment. The technical security testing was performed both over the Internet and from within select ICE facilities, and focused on test, development, and production devices that directly support key general support systems.

SUMMARY OF FINDINGS AND RECOMMENDATIONS

During fiscal year (FY) 2010, ICE took corrective action to address some prior year IT control weaknesses. For example, ICE made improvements over physical controls at facility entrances, and over Active Directory/Exchange (ADEX) user account lockout settings and recertifications. However, during FY 2010, we continued to identify IT general control weaknesses that could potentially impact ICE's financial data. The most significant findings from a financial statement audit perspective were related to Federal Financial Management System (FFMS) configuration and patch management, FFMS user account management, and weaknesses over physical security and security awareness. Collectively, the IT control deficiencies limited ICE's ability to ensure that critical financial and operational data were maintained in a manner that ensures their confidentiality, integrity, and availability.
In addition, these control deficiencies negatively impacted the internal controls over ICE financial reporting and its operation, and we consider them to contribute to a material weakness at the Department level under standards established by the American Institute of Certified Public Accountants (AICPA). Also, based upon the results of our test work, we noted that ICE did not fully comply with the requirements of the Federal Financial Management Improvement Act (FFMIA).

Of the 16 findings identified during our FY 2010 testing, 9 were new IT findings. These findings represent control deficiencies in four of the five FISCAM key control areas: configuration management, access controls, security management, and segregation of duties. Specifically, these control deficiencies include: 1) inadequately designed and operating configuration management, 2) lack of effective segregation of duties controls within financial applications, 3) lack of FFMS patch management, and 4) weak FFMS account management. These control deficiencies increase the risk that weaknesses in system controls could be exploited to compromise the confidentiality, integrity, and availability of ICE financial data, and thereby the integrity of the financial data that management reports in DHS' consolidated financial statements.
While the recommendations made by KPMG should be considered by ICE, it is the ultimate responsibility of ICE management to determine the most appropriate method(s) for addressing the weaknesses identified based on their system capabilities and available resources.

IT GENERAL CONTROL FINDINGS AND RECOMMENDATIONS

Findings:

During the FY 2010 DHS Financial Statement Audit, we identified the following ICE IT and financial system control deficiencies that in the aggregate significantly contribute to the material weakness at the Department level.

Configuration Management
• Security configuration management control deficiencies on ADEX. These control deficiencies included default installation and configuration settings on the Cisco routers.
• Security configuration management deficiencies over FFMS included:
  - The network and servers were installed with default configuration settings and protocols.
  - Mainframe production databases were installed and configured without baseline security configurations.
  - Servers have inadequate patch management.

Access Control
• FFMS password settings are not compliant with DHS policy.
• A lack of recertification of FFMS system users.
• Audit log policies and procedures have not been finalized, approved, and implemented.
• ADEX system access was not consistently removed for terminated employees and contractors.
• Weak physical and environmental controls at the ADEX and FFMS data centers:
  - Department of Commerce Office of Computer Services (OCS) (up to July 2010)
    - Lack of an OCS Data Center risk assessment.
    - Lack of re-entry procedures for personnel after an emergency evacuation.
    - Fire suppression testing documentation is not maintained.
    - Water damage was visible on the data center wall where FFMS servers are housed, with no incident report of the event.
    - Uninterruptible Power Supply (UPS) testing documentation is not maintained.
  - Clarksville Data Center (DC2) (as of July 2010)
    - Emergency re-entry procedures have not been documented and authorized.
    - The FFMS server is inappropriately marked with a label that identifies the application/data on the server.
  - Potomac Center North (PCN)
    - Environmental test results are not documented and maintained for the Heating, Ventilating, Air Conditioning (HVAC), fire extinguishers, and the UPS.
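Two of the access control findings above, ADEX access not removed for terminated personnel and missing FFMS user recertification, are conditions an operations team can test mechanically rather than by sampling. The following Python script is an added example and is not code from the report, from KPMG, or from ICE. It reconciles a constructed HR separation report against a constructed directory account export (the column names and every row are assumptions) and reports enabled accounts whose owner has separated, noting whether the account was used after the separation date, together with enabled accounts whose last documented recertification is older than a configurable threshold.

```python
"""Reconcile an HR separation list against a directory account export.

Added example (not from the OIG report, KPMG, or ICE). Both inputs below are
constructed sample data with assumed column names; in practice they would be
loaded from an HR separations report and a directory export (for an Active
Directory domain such as ADEX, e.g. Get-ADUser output) instead of literals.
"""
import csv
import io
from datetime import date, timedelta

# Constructed HR separations report (assumed columns).
HR_SEPARATIONS = """employee_id,name,separation_date,type
1001,Alice Adams,2010-06-15,Federal
1002,Bob Brown,2010-07-02,Contractor
1003,Carol Chen,2010-09-20,Contractor
"""

# Constructed directory export (assumed columns). last_recert is the date the
# account's access was last recertified by the owner's supervisor.
ACCOUNT_EXPORT = """sam_account,employee_id,enabled,last_logon,last_recert
aadams,1001,True,2010-08-01,2009-09-01
bbrown,1002,False,2010-06-30,2010-03-01
cchen,1003,True,2010-09-29,2010-05-01
dduarte,1004,True,2010-09-29,2009-08-15
"""


def _rows(csv_text):
    return list(csv.DictReader(io.StringIO(csv_text)))


def _enabled(row):
    return row["enabled"].strip().lower() == "true"


def orphaned_accounts(hr_csv, account_csv, as_of, grace_days=0):
    """Enabled accounts whose owner separated at least grace_days before as_of.

    Each finding records whether the account was used after separation, which
    separates a missed deprovisioning step from a possibly misused credential.
    """
    as_of = date.fromisoformat(as_of)
    separated = {r["employee_id"]: date.fromisoformat(r["separation_date"])
                 for r in _rows(hr_csv)}
    findings = []
    for acct in _rows(account_csv):
        sep = separated.get(acct["employee_id"])
        if sep is None or not _enabled(acct):
            continue  # owner still employed, or account already disabled
        if sep + timedelta(days=grace_days) <= as_of:
            findings.append({
                "account": acct["sam_account"],
                "separated": sep.isoformat(),
                "logon_after_separation":
                    date.fromisoformat(acct["last_logon"]) > sep,
            })
    return findings


def stale_recertifications(account_csv, as_of, max_age_days=365):
    """Enabled accounts whose last recertification is older than max_age_days."""
    as_of = date.fromisoformat(as_of)
    return [acct["sam_account"] for acct in _rows(account_csv)
            if _enabled(acct)
            and (as_of - date.fromisoformat(acct["last_recert"])).days > max_age_days]


def audit(hr_csv=HR_SEPARATIONS, account_csv=ACCOUNT_EXPORT,
          as_of="2010-09-30", grace_days=0, max_age_days=365):
    """Run both checks as of a given date (the report's fiscal year end by default)."""
    return {
        "orphaned": orphaned_accounts(hr_csv, account_csv, as_of, grace_days),
        "stale_recert": stale_recertifications(account_csv, as_of, max_age_days),
    }


if __name__ == "__main__":
    result = audit()
    for f in result["orphaned"]:
        print("orphaned account %(account)s (separated %(separated)s), "
              "logon after separation: %(logon_after_separation)s" % f)
    for name in result["stale_recert"]:
        print("recertification overdue:", name)
```

The grace period exists because an exit clearance process legitimately takes some days; the logon-after-separation flag is the item to escalate to incident response, since an account used after its owner left is no longer just a hygiene finding. Disabled accounts are skipped deliberately, as the control is about access, not account existence.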

Security Management
• Procedures for transferred and terminated personnel exit processing are not being consistently followed.
• IT security training is not mandatory, nor is compliance monitored.

After-Hours Physical Security Testing:

We performed after-hours physical security testing to identify risks related to non-technical aspects of IT security. These non-technical IT security aspects included physical access to media and equipment that housed financial data and information residing within an ICE employee's or contractor's work area, which could be used by others to gain unauthorized access to systems housing financial information. The testing was performed at various ICE locations that process and/or maintain financial data.
The specific results are shown in the following table:

                                     Exceptions by Location
  Exception Type                   TechWorld     PCN         PCN         Total by
                                   10th floor    3rd floor   4th floor   Type
  User Names and Passwords             13            6          13          32
  Keys/Badges                           1            0           0           1
  Personally Identifiable
  Information (PII)                     9            2           2          13
  Server Names/IP Addresses             1            0           2           3
  Laptops                               2            2           1           5
  External Drives                       0            0           1           1
  Credit Cards                          2            0           0           2
  Internal Drives                       1            0           1           2
  Total by Location                    29           10          20          59

Social Engineering Testing:

Social engineering is defined as the act of attempting to manipulate or deceive individuals into taking action that is inconsistent with DHS policies, such as divulging sensitive information or allowing/enabling computer system access.
The term typically applies to deception for the purpose of information gathering or gaining computer system access. The results of our testing are shown in the following table:

  Total Called   Total Answered   Number of people who provided a username and/or password
       25              14          1 (both user name and password)

Segregation of Duties
• FFMS roles and responsibilities for the Originator, Funds Certification Official, and Approving Official profiles were not effectively segregated.

Recommendations:

We recommend that the ICE Chief Information Officer and Chief Financial Officer, in coordination with the DHS Office of the Chief Financial Officer and the DHS Office of the Chief Information Officer, make the following improvements to ICE's financial management systems and associated information technology security program.

For Configuration Management
• Ensure that password configuration settings are properly and effectively applied.
• Implement the appropriate FFMS database and network server patches in order to ensure patch management compliance.

For Access Controls
• Update the FFMS password configuration settings to ensure that they are in compliance with DHS Sensitive Systems Policy Directive 4300A.
• Establish and implement policies and procedures to formally document the recertification of FFMS user privileges.
  This process should include a method to document user recertification and a process to maintain evidence of the reviews.
• Finalize, approve, and implement the draft FFMS audit log policy and procedures.
• Ensure implementation of the ICE Exit Clearance Directive, which will establish the process for separating employees, both Federal and contractors, and formalize a process to ensure that separating employees have their access to all ICE information technology systems removed.
• As of July 2010, FFMS was moved from the OCS to the Clarksville Data Center (DC2). Therefore, we recommend that the Clarksville Data Center (DC2) be reviewed and monitored to ensure compliance with all physical and data security requirements.
• Ensure that re-entry procedures are properly documented at the Clarksville Data Center (DC2) and that servers are not inappropriately identified.
• Ensure that the HVAC, fire extinguishers, and UPS environmental systems are tested annually and the results are documented and maintained.

For Security Management
• Establish and implement a policy which governs the exit clearance process and identifies the procedures that separating employees and contractors must take to ensure the return and/or safeguarding of government property, equipment, and systems; and the roles and responsibilities of ICE offices involved in the exit clearance process.
• Have the OCIO provide management oversight and guidance for training personnel with significant responsibilities for information security.
• Continue prioritizing security awareness and social engineering risks in the Annual Information Assurance Awareness Training (IAAT).

For Segregation of Duties
• Enforce policies and procedures to ensure that assigned roles and responsibilities are commensurate with personnel job functions.
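The segregation of duties finding and the recommendation above concern three FFMS profiles (Originator, Funds Certification Official, Approving Official) that should never be held or exercised by one person on the same document. The Python below is an added example, not code from the report or from FFMS. It runs two checks that an auditor or system owner would want side by side: a profile review that finds users whose assigned roles combine a conflicting pair, and a transaction review that finds documents on which one account performed more than one workflow step. The conflict matrix, the usernames, the role assignments, and the log format are all constructed assumptions; only the three role names come from the finding.

```python
"""Segregation-of-duties checks for a three-role funds control workflow.

Added example, not from the OIG report or FFMS. The role names come from the
finding (Originator, Funds Certification Official, Approving Official); the
conflict matrix, the user-to-role assignments, and the transaction log are
constructed assumptions.
"""
from collections import defaultdict
from itertools import combinations

ORIGINATOR = "Originator"
CERTIFIER = "Funds Certification Official"
APPROVER = "Approving Official"

# Assumed rule: the three workflow roles are mutually exclusive, so any pair
# held by one user is a conflict. Stored as unordered pairs.
CONFLICTING_ROLE_PAIRS = {
    frozenset(pair) for pair in combinations((ORIGINATOR, CERTIFIER, APPROVER), 2)
}

# Constructed role profile export: (user, role).
ROLE_ASSIGNMENTS = [
    ("jsmith", ORIGINATOR),
    ("jsmith", APPROVER),       # one profile spanning two conflicting roles
    ("mlee", CERTIFIER),
    ("rkhan", APPROVER),
    ("tnguyen", ORIGINATOR),
]

# Constructed transaction log: (document id, workflow step, user).
TRANSACTION_LOG = [
    ("OBL-0001", "originate", "jsmith"),
    ("OBL-0001", "certify", "mlee"),
    ("OBL-0001", "approve", "jsmith"),  # originator approved own document
    ("OBL-0002", "originate", "tnguyen"),
    ("OBL-0002", "certify", "mlee"),
    ("OBL-0002", "approve", "rkhan"),
]


def static_conflicts(assignments, conflicts=CONFLICTING_ROLE_PAIRS):
    """Users whose assigned roles include at least one conflicting pair.

    This is the design-level check: a user in this list is able to violate
    the control whether or not they have done so yet.
    """
    held = defaultdict(set)
    for user, role in assignments:
        held[user].add(role)
    found = {}
    for user, roles in held.items():
        bad = sorted(tuple(sorted(pair)) for pair in combinations(roles, 2)
                     if frozenset(pair) in conflicts)
        if bad:
            found[user] = bad
    return found


def transactional_conflicts(log):
    """Documents on which a single account performed more than one workflow step.

    This is the operating-effectiveness check: it catches a violation that a
    profile review would miss when a role was granted temporarily or ad hoc.
    """
    steps = defaultdict(lambda: defaultdict(set))
    for doc, step, user in log:
        steps[doc][user].add(step)
    return {
        doc: {user: sorted(s) for user, s in by_user.items() if len(s) > 1}
        for doc, by_user in steps.items()
        if any(len(s) > 1 for s in by_user.values())
    }


if __name__ == "__main__":
    for user, pairs in static_conflicts(ROLE_ASSIGNMENTS).items():
        print("profile conflict:", user, pairs)
    for doc, users in transactional_conflicts(TRANSACTION_LOG).items():
        print("transaction conflict:", doc, users)
```

Both checks are needed: the profile review shows the control is not designed effectively (the condition the finding describes), while the transaction review produces the evidence of actual impact that decides whether a document needs re-approval by a second person.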
APPLICATION CONTROLS

As a result of the control deficiencies noted above in the Information Technology General Controls, manual compensating controls were tested in place of application controls.

MANAGEMENT'S COMMENTS AND OIG RESPONSE

The OIG received written comments on a draft of this report from ICE management. Generally, ICE management agreed with all of our findings and recommendations. ICE management has developed a remediation plan to address these findings and recommendations.
A copy of the comments is included in Appendix D.

OIG Response

We agree with the steps that ICE management is taking to satisfy these recommendations.

Appendix A

Description of Key ICE Financial Systems and IT Infrastructure within the Scope of the FY 2010 DHS Financial Statement Audit

Federal Financial Management System (FFMS)

The FFMS is a Chief Financial Officer (CFO) designated financial system and certified software application that conforms to OMB Circular A-127 and implements the use of a Standard General Ledger for the accounting of agency financial transactions. It is used to create and maintain a record of each allocation, commitment, obligation, travel advance, and accounts receivable issued.
It is the system of record for the agency and supports all internal and external reporting requirements. FFMS is a commercial off-the-shelf financial reporting system built on the Oracle 9i Relational Database Management System running on an IBM 9672 mainframe with the z/OS 1.4 platform. The FFMS operating environment consists of an IBM z/OS Version 1.4 mainframe server and Microsoft Windows 2000 report servers protected by firewalls. It includes the core system used by accountants, FFMS Desktop, which is used by general users, and a National Finance Center (NFC) payroll interface. As of July 2010, the FFMS mainframe component and two network servers are hosted at the Department of Homeland Security (DHS) Clarksville Data Center (DC2) facility located in Clarksville, Virginia. Prior to July, the system was housed at the Department of Commerce in Springfield, VA. FFMS currently interfaces with the following systems:
• Direct Connect, for transmission of DHS payments to Treasury
• Fed Travel
• The Biweekly Examination Analysis Reporting (BEAR) and Controlling Accounting Data Inquiry (CADI), for the purpose of processing National Finance Center (NFC) user account and payroll information
• The Debt Collection System (DCOS)
• Bond Management Information System (BMIS) Web

ICE Network

The ICE Network, also known as the Active Directory/Exchange (ADEX) E-mail System, is a major application for ICE and other DHS components, such as the United States Citizenship and Immigration Services (USCIS). The ADEX servers and infrastructure for the headquarters and National Capital Area are located on the third floor of the Potomac Center North Tower in Washington, DC.
The ICE Network\nutilizes a hybrid mesh/hub and mesh network design to maximize redundancy throughout the network.\nICE operates off of Dell PowerEdge 2950, HP ProLiant DL 385 Server, HP ProLiant BL45p Server\nBlade, HP BL 25P Blade Server, and EMC Symmetrix DM. ADEX has implemented Microsoft\nWindows 2003 Enterprise Server operating system to provide directory, domain control, and network\nservices to clients. For security purposes, ADEX has implemented firewalls and a logical Layer-3\nencrypted overlay network through the use of Generic Routing Encapsulation (GRE) and IPSec tunneling.\nADEX currently interfaces with the following systems:\n\xe2\x80\xa2\t Diplomatic Telecommunications Service Program Office (DTSPO) ICENet Infrastructure\n\n\n\n\n                Information Technology Management Letter for the ICE Component \n \n\n                          of the FY 2010 DHS Financial Statement Audit \n \n\n                                            Page 8 \n \n\n\x0c                                                                       Appendix B\n                    Department of Homeland Security\n \n\n                 Immigration and Customs Enforcement \n \n\n                Information Technology Management Letter\n                           September 30, 2010\n\n\n\n\n                             Appendix B \n \n\nFY 2010 Notices of IT Findings and Recommendations at ICE \n \n\n\n\n\n\n      Information Technology Management Letter for the ICE Component \n \n\n                of the FY 2010 DHS Financial Statement Audit \n \n\n                                  Page 9 \n \n\n\x0c                                                                                           Appendix B\n                                   Department of Homeland Security\n \n\n                                Immigration and Customs Enforcement \n \n\n                               Information Technology Management Letter\n                                          September 30, 
Notice of Findings and Recommendations (NFR) – Definition of Severity Ratings:

Each NFR listed in Appendix B is assigned a severity rating from 1 to 3 indicating the influence on the Department of Homeland Security (DHS) Consolidated Independent Auditors' Report.

      1 – Not substantial
      2 – Less significant
      3 – More significant

The severity ratings indicate the degree to which the deficiency influenced the determination of severity for consolidated reporting purposes.

These ratings are provided only to assist DHS in prioritizing the development of its corrective action plans for remediation of the deficiency.

Notice of Findings and Recommendations – Detail

Columns: NFR No. | Condition | Recommendation | New Issue | Repeat Issue | Severity Rating. Each entry below gives the NFR number, whether it is a new or repeat issue, its severity rating, the condition, and the recommendation.
ICE-IT-10-01 (Repeat Issue; Severity Rating 3)
Condition: During the FY 2009 financial statement audit, KPMG performed an inspection of a sample of personnel that had terminated/transferred from their employment with ICE during the fiscal year. KPMG requested evidence that exit clearance forms were completed for each employee to determine ICE management's compliance with exit clearance procedures. Of the 25 terminated/transferred ICE personnel sampled, evidence of compliance with exit clearance procedures could not be provided for 12 employees.

During the FY 2010 financial statement audit, KPMG was informed that a policy and procedure has not been developed for the Personnel Exiting Process. ICE management stated that the Office of Human Capital (OHC) has implemented a multi-year mission action plan to address this and various other issues, but no corrective action has been taken at this time.

Recommendation: ICE should establish and implement a policy governing the exit clearance process, identifying the procedures separating employees and contractors must take to ensure the return and/or safeguarding of government property, equipment, and systems; and the roles and responsibilities of ICE offices involved in the exit clearance process.

ICE-IT-10-02 (Repeat Issue; Severity Rating 3)
Condition: During the FY 2009 audit, KPMG inquired of ICE OCIO personnel about FFMS password settings. We determined that the FFMS password settings require the use of an underscore and do not allow the use of any other special characters such as !, @, #, $, %, or *, which is not compliant with DHS policy. The DHS policy requires that passwords contain a combination of alphabetic, numeric, and special characters.

During the FY 2010 audit, we performed follow-up inquiry to determine the status of this weakness and learned that the FFMS password setting control weakness has not been remediated. ICE management stated that a change to the system has been requested to include two additional characters in the password complexity. The special characters that will be added once the change is implemented are the #, $, and underscore. KPMG noted that Oracle uses the following characters (!, @, %, ^, &, *) as function keys; therefore, they cannot be included in the password complexity. The remediation completion date is scheduled for November 2010.

Recommendation: ICE should update the FFMS password configuration settings to ensure that they are in compliance with DHS 4300A policies.

ICE-IT-10-03 (Repeat Issue; Severity Rating 2)
Condition: During the FY 2009 audit, KPMG inquired of ICE OCIO personnel about the process for recertifying FFMS user access (review of access privileges) and found that this process is not formally documented. Furthermore, KPMG found that the review of the access privileges for each FFMS account is not adequately recorded and no audit trail is available to support that a recertification was completed.

During the FY 2010 financial statement audit, we performed follow-up inquiry to determine the status of this weakness and learned that procedures have been documented and implemented for the FFMS recertification process; however, a formal policy has not been documented. KPMG found that users' logical access privileges were reviewed, recorded, and maintained; therefore, this portion of the prior year (PY) NFR has been remediated. However, per inquiry with ICE management, KPMG found that a formal policy still does not exist for the recertification of FFMS accounts.

Recommendation: ICE management should establish and implement policies and procedures to formally document the recertification of FFMS user privileges. This activity is the responsibility of OFM and the ISSO. This process should include a method to document user recertification and a process to maintain evidence of the reviews.
ICE-IT-10-04 (Repeat Issue; Severity Rating 3)
Condition: During the FY 2009 financial statement audit, KPMG performed an inspection of a listing of FFMS users and their assigned roles/responsibilities and determined that 6 users had Originator, Funds Certification Official, and Approving Official profiles that were in violation of FFMS segregation of duties policies.

During the FY 2010 financial statement audit, we performed follow-up inquiry to determine the status of this weakness and learned that a draft FFMS segregation of duties policy is in place but is not being followed. In addition, KPMG inspected a listing of FFMS users and their assigned roles/responsibilities and determined that one user had Originator, Funds Certification Official, and Approving Official profiles, which is a violation of the FFMS segregation of duties policy.

Recommendation: ICE should enforce policies and procedures to ensure that assigned roles and responsibilities are commensurate with personnel job functions.

ICE-IT-10-05 (New Issue; Severity Rating 3)
Condition: During the FY 2010 financial statement audit, KPMG determined that FFMS audit logs were not generated or reviewed during the period October 2009 through February 2010. As of March 2010, the logs were generated and reviewed; however, no supporting evidence could be provided. Additionally, we determined that audit log policy and procedures have been drafted; however, they have not been finalized, approved, and implemented.

Recommendation: ICE OFM will finalize, seek approval, and formally implement the draft policy and procedures. In the meantime, the draft policy will be used to provide an accurate audit log.

ICE-IT-10-06 (Repeat Issue; Severity Rating 3)
Condition: During the FY 2009 financial statement audit, KPMG determined that weaknesses exist over ADEX access. Specifically, KPMG found that 14 users who were separated from ICE still had active ADEX accounts that were not removed upon their termination/transfer.

During the FY 2010 financial statement audit, we performed follow-up inquiry to determine the status of this weakness and learned that ICE has implemented a compensating control that will disable user accounts after 45 days of inactivity to mitigate the control weakness. However, KPMG found that a separated employee's account was not disabled in a timely manner, as the account was accessed after the employee's termination date. Therefore, the 45-day window was inappropriately delayed. In addition, we determined that DHS access control policies are not being followed, as users are not properly identified and authenticated. Based on ICE management's response to this weakness, "either another user logged on as the terminated user or Information Technology Field Officer (ITFO) logged in using the terminated employee's credentials."

Recommendation: Ensure implementation of the ICE Exit Clearance Directive, which will establish the process for separating employees, both Federal and contractors, and formalize a process to ensure that separating employees have their access to all ICE information technology systems removed.

ICE-IT-10-07 (New Issue; Severity Rating 2)
Condition: During the FY 2010 financial statement audit, KPMG determined that several physical and environmental control weaknesses exist within the OCS Data Center. Specifically, we noted the following:
• The OCS Data Center Risk Assessment is not documented.
• Re-entry procedures for personnel after an emergency evacuation are not documented.
• Fire suppression testing documentation is not maintained.
• Water damage was visible on the data center wall where FFMS servers are housed, with no incident report of the event.
• UPS testing documentation is not maintained.

Recommendation: As of July 2010, FFMS has been moved from the Department of Commerce OCS to the Clarksville Data Center 2 (DC2). DC2 will be reviewed and monitored to ensure compliance with all physical and data security requirements.
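The two access-review conditions above, the conflicting FFMS profiles in NFR ICE-IT-10-04 and the separated ADEX users in NFR ICE-IT-10-06, can be checked mechanically from a user/profile listing, HR separation dates, and last-logon data. The Python below is an added example, not tooling from KPMG, ICE, or the management letter; the three profile names and the 45-day inactivity threshold come from the NFR text, while every user ID, date, and account record is constructed.

```python
"""Access-review checks for the conditions in NFRs ICE-IT-10-04 and ICE-IT-10-06.

Added illustration, not KPMG's or ICE's own tooling. Profile names and the
45-day threshold come from the NFR text; all records below are constructed.
"""
from collections import defaultdict
from datetime import date

# Profiles the FFMS segregation-of-duties policy says must not be combined in
# one account (the combination NFR ICE-IT-10-04 flagged).
CONFLICTING_PROFILES = frozenset(
    {"Originator", "Funds Certification Official", "Approving Official"}
)

# Compensating control described in NFR ICE-IT-10-06.
INACTIVITY_DISABLE_DAYS = 45

# Constructed review date (fiscal year end).
REVIEW_DATE = date(2010, 9, 30)

# Constructed FFMS user listing: one (user_id, profile) pair per assignment.
FFMS_ROLE_LISTING = [
    ("user01", "Originator"),
    ("user01", "Funds Certification Official"),
    ("user01", "Approving Official"),
    ("user02", "Originator"),
    ("user02", "Approving Official"),
    ("user03", "Funds Certification Official"),
]

# Constructed HR separation records: user_id -> termination/transfer date.
SEPARATIONS = {
    "user01": date(2010, 3, 15),
    "user02": date(2010, 6, 1),
    "user04": date(2010, 1, 5),
}

# Constructed ADEX account state: user_id -> (account enabled?, last logon date).
ADEX_ACCOUNTS = {
    "user01": (True, date(2010, 4, 2)),   # logon after the separation date
    "user02": (True, date(2010, 5, 28)),  # still enabled, no logon since
    "user03": (True, date(2010, 9, 1)),   # not separated; nothing to flag
    "user04": (False, date(2010, 1, 4)),  # disabled before separation; clean
}


def sod_violations(listing, conflict_set=CONFLICTING_PROFILES):
    """Return user IDs whose profile set contains the whole conflicting combination."""
    profiles = defaultdict(set)
    for user, profile in listing:
        profiles[user].add(profile)
    return sorted(user for user, held in profiles.items() if conflict_set <= held)


def separated_account_exceptions(separations, accounts, as_of):
    """Compare HR separation dates with ADEX account state.

    Returns sorted (user_id, issue) pairs, where issue is one of:
      active-after-separation : account still enabled after the separation date
      logon-after-separation  : the account was used after the separation date,
                                which also restarts the 45-day inactivity clock
      inactivity-disable-late : enabled with no logon for more than
                                INACTIVITY_DISABLE_DAYS, so the compensating
                                control has not fired either
    """
    exceptions = []
    for user, separated_on in separations.items():
        if user not in accounts:
            continue  # no account to review
        enabled, last_logon = accounts[user]
        if enabled and as_of > separated_on:
            exceptions.append((user, "active-after-separation"))
        if last_logon > separated_on:
            exceptions.append((user, "logon-after-separation"))
        if enabled and (as_of - last_logon).days > INACTIVITY_DISABLE_DAYS:
            exceptions.append((user, "inactivity-disable-late"))
    return sorted(exceptions)


def disable_delay_days(separated_on, last_logon):
    """Days by which a post-separation logon pushes back the inactivity disable.

    Without any logon after separation the account would be disabled
    INACTIVITY_DISABLE_DAYS after separated_on; a later logon moves that date
    out by the gap between separated_on and the logon.
    """
    return max(0, (last_logon - separated_on).days)


def main():
    print("SoD violations:", sod_violations(FFMS_ROLE_LISTING))
    for user, issue in separated_account_exceptions(SEPARATIONS, ADEX_ACCOUNTS, REVIEW_DATE):
        print(f"{user}: {issue}")
    _, last = ADEX_ACCOUNTS["user01"]
    print("user01 disable delayed by", disable_delay_days(SEPARATIONS["user01"], last), "days")


if __name__ == "__main__":
    main()
```

Replacing the constructed dictionaries with exports from FFMS, the HR system, and Active Directory turns the auditors' sample inspection into a repeatable control that can be run each recertification cycle.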
                                            Issue    Issue    Rating\nICE-IT-   During the FY 2010 financial statement audit, we          Ensure that environmental systems (HVAC, fire       X                   2\n 10-08    determined that the environmental controls in the PCN     extinguishers, and UPS) are tested annually with\n          computer room need improvement. Specifically, we          test results made available for review.\n          found that environmental test results are not\n          documented and maintained for the following devices:\n          AC units, fire extinguishers, and back-up power\n          supply.\nICE-IT-   Social engineering is defined as the act of attempting    Social Engineering is covered in the Annual                             3\n 10-09    to manipulate or deceive people into taking action that   Information Assurance Awareness Training\n          is inconsistent with DHS policies, such as divulging      (IAAT) \xe2\x80\x93 which is a requirement for all ICE\n          sensitive information or allowing/enabling computer       employees. The IAAT should continue to stress\n          system access. The term typically applies to trickery     social engineering risks and greater outreach        X\n          or deception for the purpose of information gathering,    should be achieved.\n          or computer system access.\n\n          During the course of our social engineering test work,\n          the objective was primarily focused on attempting to\n          identify user IDs and passwords. Posing as DHS\n          technical support employees, attempts were made to\n          obtain this type of account information by contacting\n          randomly selected employees by telephone. A script\n          was used to ask for assistance from the ICE user in\n          resolving a network issue in the component. 
For each\n          person we attempted to call, we noted whether the\n          individual was reached and whether we obtained any\n          information from them that should not have been\n          shared with us according to DHS policy. Our\n          selection of desks and offices was not statistically\n          derived, and therefore we are unable to project results\n          to the component or department as a whole.\n\n          During the FY 2010 financial statement audit, we\n          learned that ICE continues to promote security\n          awareness training by distributing a weekly newsletter\n                               Information Technology Management Letter for the ICE Component                    \n\n\n                                         of the FY 2010 DHS Financial Statement Audit\n                                                                                                   \n\n\n\n\n\n                                                           Page 15\n                                                                            \n\n\x0c                                                                                                                            Appendix B\n                                                 Department of Homeland Security\n                                              Immigration and Customs Enforcement\n                                             Information Technology Management Letter\n                                                        September 30, 2010\n\n NFR                                                                                                                New     Repeat   Severity\n                               Condition                                          Recommendation\n No.                                                                                                                
Issue    Issue    Rating\n          to employees and contractors about security\n          awareness. However, KPMG found that the prior year\n          security weakness still exists.\nICE-IT-   We performed after-hours physical security testing to     Security Awareness is covered in the Annual      X                   3\n 10-10    identify risks related to non-technical aspects of IT     IAAT \xe2\x80\x93 which is a requirement for all ICE\n          security. These non-technical IT security aspects         employees. The IAAT should continue to stress\n          include physical access to equipment that houses          security awareness risks and greater outreach\n          financial data and information residing on an ICE         should be achieved.\n          employee\xe2\x80\x99s desk which could be used by others to\n          inappropriately access financial information. The\n          testing was performed at various ICE locations that\n          process and/or maintain component financial data.\n          After gaining access to the facilities via an ICE\n          employee designated to assist with and monitor our\n          testwork, we inspected a random selection of desks\n          and offices looking for items such as improper\n          protection of system user names and passwords,\n          unsecured       information      system      hardware,\n          documentation containing Personally Identifiable\n          Information (PII) or marked \xe2\x80\x9cFor Official Use Only\xe2\x80\x9d\n          (FOUO), and unlocked network sessions.\n                                                           Our\n          selection of desks and offices was not statistically\n          derived, and therefore we are unable to project results\n          to the component or department as a whole. 
For each\n          location visited, we noted the type of unsecured\n          information or property we identified and included the\n          total exceptions noted by location, as well as by type\n          of information or property identified.\n\n          During the FY 2010 financial statement audit, we\n          learned that ICE continues to promote security\n          awareness training and distributes a weekly newsletter\n          to employees and contractors about security\n          awareness. However, KPMG found that security\n                               Information Technology Management Letter for the ICE Component                 \n\n\n                                         of the FY 2010 DHS Financial Statement Audit\n                                                                                                 \n\n\n\n\n\n                                                           Page 16\n                                                                            \n\n\x0c                                                                                                                                   Appendix B\n                                                  Department of Homeland Security\n                                               Immigration and Customs Enforcement\n                                              Information Technology Management Letter\n                                                         September 30, 2010\n\n NFR                                                                                                                       New     Repeat   Severity\n                                Condition                                           Recommendation\n No.                                                                                                                       
Issue    Issue    Rating\n          weaknesses still exist.\nICE-IT-   In FY 2009, we found that ICE lacked policies and           OCIO will provide management oversight and                                2\n 10-11    procedures requiring completion of a training program       guidance for training personnel with significant\n          by personnel in IT security positions.                      responsibilities for information security.\n\n          During the FY 2010 financial statement audit, we                                                                   X\n          learned that to correct the prior year NFR, ICE follows\n          DHS 4300A policy for training personnel in IT\n          security positions, therefore, this portion of the NFR is\n          closed. However, during our testwork we determined\n          that weaknesses still exist over training personnel in\n          IT security positions. Specifically, we determined that\n          27 out of 45 IT security personnel have not completed\n          specialized training.\nICE-IT-   During the FY 2010 financial statement audit, KPMG          ICE should ensure that re-entry procedures are        X                   2\n 10-12    determined that physical safeguard weaknesses exist at      properly documented at the Clarksville Data\n          the Clarksville Data Center (DC2). 
Specifically, we         Center (DC2) and make certain that servers are not\n          determined the following:                                   inappropriately identified.\n          \xe2\x80\xa2 Re-entry procedures after an emergency have\n               been implemented, however, the procedures are\n               not documented.\n          \xe2\x80\xa2 FFMS server is inappropriately marked with a\n               label that identifies the application/data on the\n               server.\nICE-IT-   During KPMG\xe2\x80\x99s internal vulnerability assessment             ICE should take the necessary steps to begin          X                   3\n 10-13    efforts of ICE\xe2\x80\x99s FFMS network, servers and databases        examining the default configuration installations\n          performed in August 2010, KPMG identified several           and system services installed on FFMS devices\n          High/ Medium Risk vulnerabilities, related to               and determine if the default configurations can be\n          configuration management such as:                           set to increase FFMS\xe2\x80\x99s security or, in the case of\n          \xe2\x80\xa2 Hot Standby Router Protocol (HSRP) default                unnecessary system services, deleted to reduce\n               installation on Cisco routers and switches             FFMS vulnerability to attack.\n          \xe2\x80\xa2 Default \xe2\x80\x9cOracle Listener Program (tnslsnr)\xe2\x80\x9d\n               service password on server installation\n\n                                Information Technology Management Letter for the ICE Component                    \n\n\n                                          of the FY 2010 DHS Financial Statement Audit\n                                                                                                     \n\n\n\n\n\n                                                            Page 17\n                                                                         
     \n\n\x0c                                                                                                                           Appendix B\n                                               Department of Homeland Security\n                                            Immigration and Customs Enforcement\n                                           Information Technology Management Letter\n                                                      September 30, 2010\n\n NFR                                                                                                               New     Repeat   Severity\n                              Condition                                        Recommendation\n No.                                                                                                               Issue    Issue    Rating\n          \xe2\x80\xa2   Outdated Microsoft Operating Systems\n          \xe2\x80\xa2   Bonjour (also known as ZeroConf or mDNS)\n              listening protocol\n          \xe2\x80\xa2 Remote web server HTML form fields transmits\n              data in clear text\nICE-IT-   During KPMG\xe2\x80\x99s internal vulnerability assessment         ICE should take the necessary steps to begin      X                   3\n 10-14    efforts of ICE\xe2\x80\x99s FFMS network servers and databases     applying the appropriate FFMS database patches\n          performed in August 2010, KPMG identified several       to ensure patch compliance.\n          High/ Medium Risk vulnerabilities, related to several\n          configuration and patch management weaknesses\n          within the configuration of the FFMS ICE and United\n          State Citizenship and Immigration Service (USCIS)\n          Oracle database instances such as:\n          \xe2\x80\xa2 Clear text passwords stored in database\n          \xe2\x80\xa2 Outdated patches\n          \xe2\x80\xa2 Table security configurations\n          \xe2\x80\xa2 User account privileges\n          
• Password settings for users and database

ICE-IT-10-15 (New Issue; Severity Rating: 3)
Condition: During KPMG's internal vulnerability assessment efforts of ICE's FFMS network servers and databases performed in August 2010, KPMG identified several High/Medium Risk vulnerabilities, related to missing or inadequate patches such as:
• Microsoft Patches
• Adobe Reader
• Apache Tomcat
• Java Runtime Environment (JRE)
• Oracle Database (server installation)
• HP System Management
• Internet Explorer
• MySQL database
Recommendation: ICE should take the necessary steps to begin applying the appropriate FFMS patches to the FFMS network servers and databases to ensure patch compliance.

ICE-IT-10-16 (New Issue; Severity Rating: 3)
Condition: During KPMG's internal vulnerability assessment efforts of ICE's ADEX network servers and devices performed in August 2010, KPMG identified a default installation and configurations for the Hot Standby Router Protocol (HSRP) on the Cisco routers.
Recommendation: ICE should ensure that password configuration settings are properly and effectively applied.

Information Technology Management Letter for the ICE Component of the FY 2010 DHS Financial Statement Audit
Page 18
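As an added example, not part of the KPMG letter and not code from ICE's environment, the following script shows the kind of check a defender can run over exported Cisco running-configs to detect the condition in ICE-IT-10-16 above: HSRP groups left at the default installation. On Cisco IOS an HSRP group with no `standby authentication` line authenticates hellos with the well-known default string "cisco", and plaintext authentication sends that string in every hello; only MD5 authentication keeps the secret off the wire. The configuration text, interface names, group numbers and key values below are constructed for illustration.

```python
import re

# Constructed sample of Cisco IOS running-config output (not from the report).
# Four HSRP groups: no authentication line, the IOS default plaintext key,
# a custom plaintext key, and MD5 authentication via a key chain.
SAMPLE_CONFIG = """\
interface GigabitEthernet0/0
 ip address 10.0.1.2 255.255.255.0
 standby version 2
 standby 1 ip 10.0.1.1
 standby 1 priority 110
!
interface GigabitEthernet0/1
 ip address 10.0.2.2 255.255.255.0
 standby 2 ip 10.0.2.1
 standby 2 authentication cisco
!
interface GigabitEthernet0/2
 ip address 10.0.3.2 255.255.255.0
 standby 3 ip 10.0.3.1
 standby 3 authentication text hsrp-key-42
!
interface GigabitEthernet0/3
 ip address 10.0.4.2 255.255.255.0
 standby 4 ip 10.0.4.1
 standby 4 authentication md5 key-chain HSRP-KEYS
!
"""

# Key IOS applies to HSRP hellos when no 'standby authentication' line is present.
IOS_DEFAULT_KEY = "cisco"

# 'standby' keywords that apply to the whole interface rather than a numbered group.
INTERFACE_LEVEL = {"version", "delay", "use-bia", "redirect"}

RISK_RANK = {"high": 2, "medium": 1}


def parse_hsrp_groups(config):
    """Map (interface, group) -> {'auth': 'none'|'text'|'md5', 'key': str|None}."""
    groups = {}
    iface = None
    for line in config.splitlines():
        m = re.match(r"^interface\s+(\S+)", line)
        if m:
            iface = m.group(1)
            continue
        m = re.match(r"^\s+standby\s+(?:(\d+)\s+)?(\S.*?)\s*$", line)
        if not m or iface is None:
            continue
        args = m.group(2).split()
        if args[0] in INTERFACE_LEVEL:
            continue
        group = int(m.group(1)) if m.group(1) else 0   # 'standby ip ...' means group 0
        entry = groups.setdefault((iface, group), {"auth": "none", "key": None})
        if args[0] != "authentication" or len(args) < 2:
            continue
        if args[1] == "md5":
            entry["auth"] = "md5"        # key-string or key-chain; the secret never goes on the wire
            entry["key"] = None
        elif args[1] == "text":
            entry["auth"] = "text"
            entry["key"] = args[2] if len(args) > 2 else None
        else:
            entry["auth"] = "text"       # legacy form: 'standby N authentication <string>'
            entry["key"] = args[1]
    return groups


def assess(entry):
    """Return (risk, message) for one group; risk is None when MD5 is in use."""
    if entry["auth"] == "md5":
        return None, "MD5 authentication configured"
    if entry["auth"] == "none":
        return "high", "no authentication line; IOS falls back to the default plaintext key '%s'" % IOS_DEFAULT_KEY
    if entry["key"] == IOS_DEFAULT_KEY:
        return "high", "plaintext authentication using the default key"
    return "medium", "plaintext authentication; the key is sent unencrypted in every hello"


def audit_hsrp(config):
    """List (interface, group, risk, message) for every weak group, highest risk first."""
    findings = []
    for (iface, group), entry in parse_hsrp_groups(config).items():
        risk, msg = assess(entry)
        if risk:
            findings.append((iface, group, risk, msg))
    findings.sort(key=lambda f: (-RISK_RANK[f[2]], f[0], f[1]))
    return findings


if __name__ == "__main__":
    for iface, group, risk, msg in audit_hsrp(SAMPLE_CONFIG):
        print(f"[{risk:6}] {iface} group {group}: {msg}")
```

Run it against `show running-config` output collected through the normal configuration backup process; the three weak groups in the sample are reported and the MD5 group is not. The same parse-then-assess split is how a recurring configuration compliance check would be wired into a change review, with the assess rules extended to whatever the organization's password configuration standard requires.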
Appendix C
Status of Prior Year Notices of Findings and Recommendations and Comparison to Current Year Notices of Findings and Recommendations at ICE

NFR No.        Description                                                                                  Disposition
ICE-IT-09-11   Ineffective physical security controls at facility entrances                                 Closed
ICE-IT-09-12   Ineffective/non-compliant account lockout counter settings                                   Closed
ICE-IT-09-13   Ineffective password settings in FFMS                                                        Repeat: 10-02
ICE-IT-09-14   Ineffective ADEX user access recertification process                                         Closed
ICE-IT-09-15   Ineffective FFMS access recertification process                                              Repeat: 10-03
ICE-IT-09-16   Terminated/transferred personnel are not removed from ADEX in a timely manner                Repeat: 10-06
ICE-IT-09-17   Segregation of duty policies are not enforced in FFMS                                        Repeat: 10-04
ICE-IT-09-18   Background reinvestigations are not conducted in a timely manner for contractors             Closed
ICE-IT-09-19   Procedures for transferred/terminated personnel exit processing are not allowed              Closed; Repeat: 10-01
ICE-IT-09-20   Training for IT security personnel is not mandatory                                          Repeat: 10-11
ICE-IT-09-21   Vulnerability Assessment - Network devices were installed with default configuration
               settings and protocols; inadequate patches; and weak/generic passwords                       Repeat: 10-13 through 10-16
ICE-IT-09-22   Physical Security and Security Awareness Issues Identified during Enhanced Security Testing  Repeat: 10-09
ICE-IT-09-23   IT Security Awareness Training requirements are not enforced                                 Closed

Appendix D

February 14, 2011

MEMORANDUM FOR: Frank Deffer
                Assistant Inspector General
                Information Technology Audits

Radha C. Sekar
Chief Financial Officer
U.S. Immigration and Customs Enforcement

Response to Draft Report: "Information Technology Management Letter for the Immigration and Customs Enforcement Component of the FY 2010 DHS Financial Statement Audit"

Thank you for the opportunity to comment on the above subject draft report, dated February 3, 2011.

ICE concurs with all 16 recommendations contained in the draft report. Plans of Action and Milestones (POAMs) have been created in Trusted Agent FISMA (TAF) for all recommendations. We have successfully completed remediation on 10 of the recommendations and mitigation efforts continue on the remaining 6.

Should you have any questions or concerns, please contact Lois Jarvis, Deputy Director for the ICE CFO Office of Assurance and Compliance at (202) 732-6240 or by e-mail at Lois.Jarvis@dhs.gov.

Report Distribution

Department of Homeland Security
Secretary
Deputy Secretary
General Counsel
Chief of Staff
Deputy Chief of Staff
Executive Secretariat
Under Secretary, Management
Assistant Secretary, ICE
DHS Chief Information Officer
DHS Chief Financial Officer
Chief Financial Officer, ICE
Chief Information Officer, ICE
Chief Information Security Officer
Assistant Secretary for Office of Policy
Assistant Secretary for Office of Public Affairs
Assistant Secretary for Office of Legislative Affairs
DHS GAO OIG Audit Liaison
Chief Information Officer, Audit Liaison
ICE Audit Liaison

Office of Management and Budget
Chief, Homeland Security Branch
DHS OIG Budget Examiner

Congress
Congressional Oversight and Appropriations Committees, as appropriate

ADDITIONAL INFORMATION AND COPIES

To obtain additional copies of this report, please call the Office of Inspector General (OIG) at (202) 254-4100, fax your request to (202) 254-4305, or visit the OIG web site at www.dhs.gov/oig.

OIG HOTLINE

To report alleged fraud, waste, abuse or mismanagement, or any other kind of criminal or noncriminal misconduct relative to department programs or operations:

• Call our Hotline at 1-800-323-8603;
• Fax the complaint directly to us at (202) 254-4292;
• Email us at DHSOIGHOTLINE@dhs.gov; or
• Write to us at:
  DHS Office of Inspector General/MAIL STOP 2600,
  Attention: Office of Investigations - Hotline,
  245 Murray Drive, SW, Building 410,
  Washington, DC 20528.

The OIG seeks to protect the identity of each writer and caller.